File integrity monitoring tools use hashes to validate that files match their original content. If the files change, the hashes will not match, allowing the tool to alert administrators that a change has occurred. Drive encryption and file encryption both protect the confidentiality of data but don't indicate changes without a signature. File availability monitoring is not a typical tool, although system or service availability monitoring is.

Endpoint detection and response (EDR) tools are most likely to use hashing to match known malicious files like this. Firewalls may provide the capability, but system logs do not, ruling out the “all of the above” option.

Group Policy is the most common way of deploying baselines throughout Windows organizations. Group Policy Objects (GPOs) are set and managed across the entire Active Directory organization, allowing them to be modified for groups or specific purposes while inheriting most settings from the top of the organizational structure. PowerShell is a scripting tool, and both PowerShell and Group Policy are commonly used for specific purposes, but GPOs are typically preferred at scale. Manual configuration is not recommended for an entire organization.

A common technique to ensure that traffic sent via unsecure protocols remains secure is to wrap it using TLS. SD‐WAN is used to manage external connectivity, and there is no mention of files, only of an unsecure protocol. Even if files were encrypted, the rest of the traffic might leak information. Hashing does not leave data recoverable, making it unusable for this type of use in almost all cases.

Passwordless authentication avoids making users provide a password or PIN by using a proof of identity from a device or token. Windows Hello, cell‐based authenticator applications, and FIDO2 security keys all support this, but entering a PIN does not.

Since ICS and SCADA devices need connectivity as part of their design, Laura knows that using segmentation to place the devices in a secure network is likely her best hardening option. Isolating the devices would break the functionality of ICS/SCADA systems. Neither ICS nor SCADA devices typically have support for host‐based firewalls or host‐based IPS.

The detection and analysis phases of the incident response process both commonly leverage IoCs to detect and then correlate information to identify incidents. Preparation might involve setting up threat feeds and building automations to help notify security administrators of issues. Containment and eradication may leverage threat data to help understand common actions taken by threat actors, but the SIEM detecting and correlating events is not typically part of containment or eradication.